Simplify the analysis of windows memory dumps or another tweak of the context menu
- From the sandbox
- Tutorial
Many users of windows operating systems sooner or later are faced with the need to find out why the favorite OS “falls into bsod”.
Much has already been written on the Internet about how to look for the cause and how it (depending on the situation), but what to do if you need to find out the reason as quickly as possible and you have to do it regularly like, for example, employees of services or regular computer forums?
Simplify the task can notorious tweaks of the context menu, the benefit they are made quite simple.
Since my task assumes that there are many and often dumps, you need to speed up the process as much as possible, while at the same time making it sufficiently informative for a cursory analysis.
As a basis for the future tweak, let's take a batch file that is enough to drag the necessary dump.
For better perception of information, in my understanding, I inverted the colors of the console and set the size of the console window to be larger.
Here you can see the parameters passed by kd.exe, such as -y , -i and, in fact, -z , which have been seen by everyone who knows about the widely known kdfe.cmd in narrow circles .
If we take by analogy with the common instructions, there are some minor differences: -nosqm and -sup are additionally passed as arguments .
As commands:
I will not paint them, because too much copy-paste will be released. Anyone interested will be able to find detailed debugger.chm help in either of the two * .msi mentioned above or on docs.microsoft.com -cpuid -sysinfo . In short - basic information about the gland of the victim.
The output of the script using kd.exe will be almost similar to the one that would have been possible when working directly through windbg, but the result is achieved much faster since you do not need to open anything, set up folders, open a dump through the menu and enter commands into the debugger.
For the first example, take a memory dump of a random user. There is a small problem with garbage in the output:
This happens, for example, in dumps of users using the odin activator, which we see in this example.
The full output is quite massive, because of the link to pastebin .
It is required to “filter out” unnecessary lines leaving only useful information.
I used findstr , it turned out such an ugly but working solution:
Here findstr uses two regulars: one searches for lines starting with three asterisks, one space and ending with a space and three asterisks. The second one looks for lines starting with 14 stars. I could not do anything more intelligible by means of findstr.
(I don’t recommend using the end of line characters in regulars findstr on the kd.exe exhaust, there may be problems with the end of the lines shown by the output of kd.exe. Instead of \ r \ n you can get \ n , which findstr does not consider the end of the line. Such rake itself.)
The whole code of the preliminary batch file with the “filter” is as follows:
The complete output of the filtered version is also on pastebin .
The result is the same, but without the "garbage". 290 lines of text against the 894's. Already better, but not all.
The next step is to add a log creation that could be posted or sent somewhere.
To do this, pass the kd.exe argument to -loga <"P: \ ut to \ log.log">
The code takes the following form:
To file 102516-21949-01.dmp be formed log 102516-21949-01.LOG in the same directory as the dump itself.
In this case, the output of "garbage" in the log is not filtered, only the output in the console is filtered, but in my case it does not matter, although you can fix it and clearing the log after it is created:
Now the last step, but not least, is the step: you need the ability to transfer the dump directly to windbg.exe and immediately transfer to it the commands that you most likely need to enter. Everything is done by analogy with kd.exe, the arguments and commands accepted by windbg.exe are almost identical to kd.exe
As a result, the dump will open immediately in the debugger and the commands listed in the -c key will be automatically executed in it .
The conclusion is similar to the very first variant with the difference that the dump is open immediately in windbg, it is possible to enter commands for further analysis due to the lack of q commands in the transmitted command list .
(By the way, if in previous versions of the script with kd.exe, you remove the q command transmitted in the command list with the -c argument , then the opportunity to continue working with the dump will appear there, including recording the log right in the process.)
Now all this needs to be modified to be able to be screwed to the context menu of * .dmp files. Actually, for what it was started.
These are the “one-liners”:
For the variant with filtering console output
For the variant with filtering console output and creating a log file
(I had to use deferred variable expansion )
To open the dump directly in windbg.exe
In the registry, created the following structure of sections:
A separate type of file dmp_geek was created in the registry sections of which was modified. Files with the extension * .dmp were assigned files of type dmp_geek .
In each section of the command, the corresponding one-liners + prettiness in the form of icons and convenient names of the displayed names of the items in the context menu were entered into the string parameter by default.
It turned out a tweak that adds the ability to massively open dumps in the console both in the console and in the debugger with “garbage” filtering and creating logs for each dump as needed. Saves quite a lot of time.
After “combing” the registry exported everything to the final REG file ready for use.
→ Download from Ya.Disk GEEK_DMP.reg
That's all. Now you can quickly, albeit superficially, immediately analyze a stack of dumps.
Much has already been written on the Internet about how to look for the cause and how it (depending on the situation), but what to do if you need to find out the reason as quickly as possible and you have to do it regularly like, for example, employees of services or regular computer forums?
Simplify the task can notorious tweaks of the context menu, the benefit they are made quite simple.
Training
Для начала понадобится установить пакет с дебаггером windbg.exe, консольным вариантом kd.exe и прочим необходимым содержимым.
Это пакеты X64 Debuggers And Tools-x64_en-us.msi или X86 Debuggers And Tools-x86_en-us.msi на выбор в зависимости от разрядности используемой ОС и/или личных предпочтений.
Отдельных ссылок на сайте microsoft вы не найдете, но данные пакеты находятся в составе Windows Driver Kit, его можно скачать без установки выбрав соответствующий режим работы инсталятора, пакеты по завершении скачивания будут лежать в папке \Windows Kits\10\WDK\Installers.
Если кому-то нужно, то я загрузил их отдельно на Я.Диск:
X64 Debuggers And Tools-x64_en-us.msi
X86 Debuggers And Tools-x86_en-us.msi
Я решил не устанавливать дебаггер, а просто распаковать msi:
Такого «портабельного» варианта более чем достаточно. После, для собственного удобства, переместил нужное содержимое из нескольких вложенных папок в C:\Portable\Debug, чтобы получилось:
+ все остальное. От этого пути и будем отталкиваться в дальнейшем (плюс я внес его в %PATH% опять же, для удобства).
На этом подготовительные мероприятия можно считать завершенными и переходить к описанию процесса создания твика.
Это пакеты X64 Debuggers And Tools-x64_en-us.msi или X86 Debuggers And Tools-x86_en-us.msi на выбор в зависимости от разрядности используемой ОС и/или личных предпочтений.
Отдельных ссылок на сайте microsoft вы не найдете, но данные пакеты находятся в составе Windows Driver Kit, его можно скачать без установки выбрав соответствующий режим работы инсталятора, пакеты по завершении скачивания будут лежать в папке \Windows Kits\10\WDK\Installers.
Если кому-то нужно, то я загрузил их отдельно на Я.Диск:
X64 Debuggers And Tools-x64_en-us.msi
X86 Debuggers And Tools-x86_en-us.msi
Я решил не устанавливать дебаггер, а просто распаковать msi:
msiexec /a "D:\Desktop\X64 Debuggers And Tools-x64_en-us.msi" /qb targetdir="D:\Desktop\Temp"Такого «портабельного» варианта более чем достаточно. После, для собственного удобства, переместил нужное содержимое из нескольких вложенных папок в C:\Portable\Debug, чтобы получилось:
C:\Portable\Debug\windbg.exe
C:\Portable\Debug\kd.exe+ все остальное. От этого пути и будем отталкиваться в дальнейшем (плюс я внес его в %PATH% опять же, для удобства).
На этом подготовительные мероприятия можно считать завершенными и переходить к описанию процесса создания твика.
Since my task assumes that there are many and often dumps, you need to speed up the process as much as possible, while at the same time making it sufficiently informative for a cursory analysis.
Understanding the keys and debugger commands
As a basis for the future tweak, let's take a batch file that is enough to drag the necessary dump.
For better perception of information, in my understanding, I inverted the colors of the console and set the size of the console window to be larger.
@echo off
title text %1modecon: cols=170color F0
title "%1"
kd.exe -nosqm -sup -z "%1" ^
-y srv*"C:\Symbols"*http://msdl.microsoft.com/download/symbols -i srv*"C:\Symbols"*http://msdl.microsoft.com/download/symbols -c ^
"!analyze -v; !cpuid; !sysinfo cpuinfo; !sysinfo cpuspeed; !sysinfo machineid; q""
pauseexit /bHere you can see the parameters passed by kd.exe, such as -y , -i and, in fact, -z , which have been seen by everyone who knows about the widely known kdfe.cmd in narrow circles .
-i !ImagePath! specifies the locationof the executables that generated the
fault (see _NT_EXECUTABLE_IMAGE_PATH)
-y !SymbolsPath! specifies the symbol search path (see _NT_SYMBOL_PATH)
-z !CrashDmpFile! specifies the nameof a crash dump file todebugIf we take by analogy with the common instructions, there are some minor differences: -nosqm and -sup are additionally passed as arguments .
-nosqm disables SQM data collection/upload.
-sup enables fullpublic symbol searchesAs commands:
!cpuid
!sysinfo cpuinfo
!sysinfo cpuspeed
!sysinfo machineidI will not paint them, because too much copy-paste will be released. Anyone interested will be able to find detailed debugger.chm help in either of the two * .msi mentioned above or on docs.microsoft.com -cpuid -sysinfo . In short - basic information about the gland of the victim.
The output of the script using kd.exe will be almost similar to the one that would have been possible when working directly through windbg, but the result is achieved much faster since you do not need to open anything, set up folders, open a dump through the menu and enter commands into the debugger.
Filter garbage output from the console
For the first example, take a memory dump of a random user. There is a small problem with garbage in the output:
Screenshot of console output
This happens, for example, in dumps of users using the odin activator, which we see in this example.
The full output is quite massive, because of the link to pastebin .
It is required to “filter out” unnecessary lines leaving only useful information.
I used findstr , it turned out such an ugly but working solution:
findstr /r /v /c:"^\*\*\* .* \*\*\*" /c:"^\*\*\*\*\*\*\*\*\*\*\*\*\*\*.*"Here findstr uses two regulars: one searches for lines starting with three asterisks, one space and ending with a space and three asterisks. The second one looks for lines starting with 14 stars. I could not do anything more intelligible by means of findstr.
(I don’t recommend using the end of line characters in regulars findstr on the kd.exe exhaust, there may be problems with the end of the lines shown by the output of kd.exe. Instead of \ r \ n you can get \ n , which findstr does not consider the end of the line. Such rake itself.)
The whole code of the preliminary batch file with the “filter” is as follows:
@echo off
title text %1modecon: cols=170color F0
title "%1"
kd.exe -nosqm -sup -z "%1" ^
-y srv*"C:\Symbols"*http://msdl.microsoft.com/download/symbols -i srv*"C:\Symbols"*http://msdl.microsoft.com/download/symbols ^
-c "!analyze -v; !cpuid; !sysinfo cpuinfo; !sysinfo cpuspeed; !sysinfo machineid; q" | findstr /r /v /c:"^\*\*\* .* \*\*\*" /c:"^\*\*\*\*\*\*\*\*\*\*\*\*\*\*.*"
pauseexit /bThe complete output of the filtered version is also on pastebin .
The result is the same, but without the "garbage". 290 lines of text against the 894's. Already better, but not all.
Quickly create a debugger log
The next step is to add a log creation that could be posted or sent somewhere.
To do this, pass the kd.exe argument to -loga <"P: \ ut to \ log.log">
The code takes the following form:
@echo off
title text %1modecon: cols=170color F0
title "%1"
set "D=%1"
set L=%D:.dmp=.LOG%
kd.exe -nosqm -sup -loga "%L%" -z "%D%" ^
-y srv*"C:\Symbols"*http://msdl.microsoft.com/download/symbols -i srv*"C:\Symbols"*http://msdl.microsoft.com/download/symbols ^
-c "!analyze -v; !cpuid; !sysinfo cpuinfo; !sysinfo cpuspeed; !sysinfo machineid; q" | findstr /r /v /c:"^\*\*\* .* \*\*\*" /c:"^\*\*\*\*\*\*\*\*\*\*\*\*\*\*.*"
pauseexit /bTo file 102516-21949-01.dmp be formed log 102516-21949-01.LOG in the same directory as the dump itself.
In this case, the output of "garbage" in the log is not filtered, only the output in the console is filtered, but in my case it does not matter, although you can fix it and clearing the log after it is created:
@echo off
title text %1modecon: cols=170color F0
title "%1"
set "D=%1"
set L=%D:.dmp=.LOG%
kd.exe -nosqm -sup -loga "%L%" -z "%D%" ^
-y srv*"C:\Symbols"*http://msdl.microsoft.com/download/symbols -i srv*"C:\Symbols"*http://msdl.microsoft.com/download/symbols ^
-c "!analyze -v; !cpuid; !sysinfo cpuinfo; !sysinfo cpuspeed; !sysinfo machineid; q" | findstr /r /v /c:"^\*\*\* .* \*\*\*" /c:"^\*\*\*\*\*\*\*\*\*\*\*\*\*\*.*"
set CL=%L:.LOG=_CLEAN.LOG%type "%L%" | findstr /r /v /c:"^\*\*\* .* \*\*\*" /c:"^\*\*\*\*\*\*\*\*\*\*\*\*\*\*.*" >> "%CL%"
del /f /q "%L%"
pauseexit /bOpening a dump in windbg
Now the last step, but not least, is the step: you need the ability to transfer the dump directly to windbg.exe and immediately transfer to it the commands that you most likely need to enter. Everything is done by analogy with kd.exe, the arguments and commands accepted by windbg.exe are almost identical to kd.exe
@echo off
windbg.exe -z "%1" -sup -y ^
"srv*C:\Symbols*http://msdl.microsoft.com/download/symbols" -i "srv*C:\Symbols*http://msdl.microsoft.com/download/symbols" -c "!analyze -v; !cpuid; !sysinfo cpuinfo; !sysinfo cpuspeed; !sysinfo machineid"
exit /bAs a result, the dump will open immediately in the debugger and the commands listed in the -c key will be automatically executed in it .
The conclusion is similar to the very first variant with the difference that the dump is open immediately in windbg, it is possible to enter commands for further analysis due to the lack of q commands in the transmitted command list .
(By the way, if in previous versions of the script with kd.exe, you remove the q command transmitted in the command list with the -c argument , then the opportunity to continue working with the dump will appear there, including recording the log right in the process.)
Creating tweaks
Now all this needs to be modified to be able to be screwed to the context menu of * .dmp files. Actually, for what it was started.
These are the “one-liners”:
For the variant with filtering console output
cmd /d /k modecon: cols=170 & color F0 & title "%1" & kd.exe -nosqm -sup -z "%1" -y srv*"C:\Symbols"*http://msdl.microsoft.com/download/symbols -i srv*"C:\Symbols"*http://msdl.microsoft.com/download/symbols -c "!analyze -v; !cpuid; !sysinfo cpuinfo; !sysinfo cpuspeed; !sysinfo machineid; q" | findstr /r /v /c:"^\*\*\* .* \*\*\*" /c:"^\*\*\*\*\*\*\*\*\*\*\*\*\*\*.*"For the variant with filtering console output and creating a log file
(I had to use deferred variable expansion )
cmd /d /v /k modecon: cols=170 & color F0 & title "%1" & set "D=%1"& set L=!D:.dmp=.LOG! & kd.exe -nosqm -sup -loga "!L!" -z "!D!" -y srv*"C:\Symbols"*http://msdl.microsoft.com/download/symbols -i srv*"C:\Symbols"*http://msdl.microsoft.com/download/symbols -c "!analyze -v; !cpuid; !sysinfo cpuinfo; !sysinfo cpuspeed; !sysinfo machineid; q" | findstr /r /v /c:"^\*\*\* .* \*\*\*" /c:"^\*\*\*\*\*\*\*\*\*\*\*\*\*\*.*"To open the dump directly in windbg.exe
"C:\Portable\Debug\windbg.exe" -z "%1" -sup -y "srv*C:\Symbols*http://msdl.microsoft.com/download/symbols" -i "srv*C:\Symbols*http://msdl.microsoft.com/download/symbols" -c "!analyze -v; !cpuid; !sysinfo cpuinfo; !sysinfo cpuspeed; !sysinfo machineid"In the registry, created the following structure of sections:
A separate type of file dmp_geek was created in the registry sections of which was modified. Files with the extension * .dmp were assigned files of type dmp_geek .
In each section of the command, the corresponding one-liners + prettiness in the form of icons and convenient names of the displayed names of the items in the context menu were entered into the string parameter by default.
It turned out a tweak that adds the ability to massively open dumps in the console both in the console and in the debugger with “garbage” filtering and creating logs for each dump as needed. Saves quite a lot of time.
After “combing” the registry exported everything to the final REG file ready for use.
REG file contents
Windows Registry Editor Version5.00
[HKEY_CLASSES_ROOT\.dmp]
@="dmp_geek"
[HKEY_CLASSES_ROOT\dmp_geek]
@="dmp_geek"
"FriendlyTypeName"="Дамп памяти"
[HKEY_CLASSES_ROOT\dmp_geek\DefaultIcon]
@="imageres.dll,142"
[HKEY_CLASSES_ROOT\dmp_geek\shell]
[HKEY_CLASSES_ROOT\dmp_geek\shell\kd.exe]
"MUIVerb"="Kd.exe"
"Icon"="C:\\Portable\\Debug\\windbg.exe,6"
[HKEY_CLASSES_ROOT\dmp_geek\shell\kd.exe\command]
@="cmd /d /k mode con: cols=170 & color F0 & title \"%1\" & \"C:\\Portable\\Debug\\kd.exe\" -nosqm -sup -z \"%1\" -y srv*\"C:\\Symbols\"*http://msdl.microsoft.com/download/symbols -i srv*\"C:\\Symbols\"*http://msdl.microsoft.com/download/symbols -c \"!analyze -v; !cpuid; !sysinfo cpuinfo; !sysinfo cpuspeed; !sysinfo machineid; q\" | findstr /r /v /c:\"^\\*\\*\\* .* \\*\\*\\*\" /c:\"^\\*\\*\\*\\*\\*\\*\\*\\*\\*\\*\\*\\*\\*\\*.*\""
[HKEY_CLASSES_ROOT\dmp_geek\shell\kd.exe_-loga]
"MUIVerb"="Kd.exe -loga"
"Icon"="C:\\Portable\\Debug\\windbg.exe,6"
[HKEY_CLASSES_ROOT\dmp_geek\shell\kd.exe_-loga\command]
@="cmd /d /v /k mode con: cols=170 & color F0 & title \"%1\" & set \"D=%1\"& set L=!D:.dmp=.LOG! & \"C:\\Portable\\Debug\\kd.exe\" -nosqm -sup -loga \"!L!\" -z \"!D!\" -y srv*\"C:\\Symbols\"*http://msdl.microsoft.com/download/symbols -i srv*\"C:\\Symbols\"*http://msdl.microsoft.com/download/symbols -c \"!analyze -v; !cpuid; !sysinfo cpuinfo; !sysinfo cpuspeed; !sysinfo machineid; q\" | findstr /r /v /c:\"^\\*\\*\\* .* \\*\\*\\*\" /c:\"^\\*\\*\\*\\*\\*\\*\\*\\*\\*\\*\\*\\*\\*\\*.*\""
[HKEY_CLASSES_ROOT\dmp_geek\shell\Open]
"MUIVerb"="Windbg"
"Icon"="C:\\Portable\\Debug\\windbg.exe,6"
[HKEY_CLASSES_ROOT\dmp_geek\shell\Open\command]
@="\"C:\\Portable\\Debug\\windbg.exe\" -z \"%1\" -sup -y \"srv*C:\\Symbols*http://msdl.microsoft.com/download/symbols\" -i \"srv*C:\\Symbols*http://msdl.microsoft.com/download/symbols\" -c \"!analyze -v; !cpuid; !sysinfo cpuinfo; !sysinfo cpuspeed; !sysinfo machineid\""
→ Download from Ya.Disk GEEK_DMP.reg
That's all. Now you can quickly, albeit superficially, immediately analyze a stack of dumps.
Used materials, sources, useful links on the topic: